The concept of zero trust is that nothing should be trusted by default. Most of us are trying to work our way to zero trust but are not there yet. Until then, you can take steps to protect your networks better, starting with handling passwords better in your domain. Here are some tips:
Use Microsoft’s LAPS toolkit
By now I hope everyone has deployed Microsoft’s Local Administrator Password Solution (LAPS) toolkit. It should be the starting point for any organization. As the download instructions note:
“[LAPS] mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.”
For anyone moving to non-domain joined machines or cloud virtual machines, the Azure marketplace has several options for deploying a unique local administrator password for Intune-joined machines. These include LAPS with Intune by Synergix Labs, LAPS for Azure, also by Synergix Labs, and Admin Password Manager for Enterprise by GreyCorbel Solutions. Any of these solutions ensures that as you move assets to the cloud, the local administrator password will not be an easy entry point for an attacker.
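Deploying LAPS is only half the job; you also want to know which computers have never had their password rotated and who can read the stored passwords. The following PowerShell audit is an added example, not code from the article or from the LAPS toolkit. It assumes the legacy LAPS schema extension (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime) is in place, the RSAT ActiveDirectory and AdmPwd.PS modules are installed, and the OU path is a placeholder you replace with your own.

```powershell
# Added audit example (not from the article or the LAPS toolkit itself).
# Assumes the legacy LAPS schema extension (ms-Mcs-AdmPwd* attributes),
# the RSAT ActiveDirectory module and the AdmPwd.PS module are installed.
Import-Module ActiveDirectory
Import-Module AdmPwd.PS

$OU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, replace with yours

# 1. Which computers have no LAPS password at all (no expiration stamp), and
#    which have an expired one (the client has stopped rotating)?
$computers = Get-ADComputer -SearchBase $OU -Filter * `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

$now = (Get-Date).ToUniversalTime()
$report = foreach ($c in $computers) {
    # The expiration attribute is a Windows FILETIME (100 ns ticks since 1601).
    $raw    = $c.'ms-Mcs-AdmPwdExpirationTime'
    $expiry = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }
    [pscustomobject]@{
        Name   = $c.Name
        Expiry = $expiry
        Status = if (-not $expiry)      { 'NoLapsPassword' }
                 elseif ($expiry -lt $now) { 'Expired' }
                 else                   { 'OK' }
    }
}
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Name | Format-Table -AutoSize

# 2. Who can read the stored passwords? Any principal holding the extended
#    right on ms-Mcs-AdmPwd for this OU (or an ancestor) can retrieve every
#    local administrator password beneath it, so this list should be short
#    and contain only the groups you deliberately granted (e.g. helpdesk).
Find-AdmPwdExtendedRights -Identity $OU |
    Select-Object ObjectDN, @{ n = 'Readers'; e = { $_.ExtendedRightHolders -join '; ' } } |
    Format-Table -Wrap
```

Run it from a workstation with domain read access; any machine reported as NoLapsPassword or Expired still carries whatever local administrator password it was built with, and any unexpected name in the Readers column is a standing path to every local administrator account in that OU.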